

ICO consultation on the draft right of access guidance


Q1 Does the draft guidance cover the relevant issues about the right of access?
Yes
No
Unsure / don't know

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 Does the draft guidance contain the right level of detail?
Yes
No
Unsure / don't know

If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


More detailed guidance for organisations required on several areas, particularly on how to respond to 
complex and burdensome SARs (see response to Qs 4, 6 and 8 for more detail). 


Q3 Does the draft guidance contain enough examples? 
Yes
No
Unsure / don't know


If no or unsure/don’t know, please provide any examples that you think should be included in
the draft guidance.


See response to Q4 and 8 for more detail. 


Q4 We have found that data protection professionals often struggle with applying and
defining ‘manifestly unfounded or excessive’ subject access requests. We would like to
include a wide range of examples from a variety of sectors to help you. Please provide
some examples of manifestly unfounded and excessive requests below (if applicable).


As DPO the organisations we support often come to us with burdensome access
requests from former/disgruntled employees.

Scenario one: an employee submitted
a SAR prior to agreeing settlement terms, then agreed to withdraw the SAR for a
benefit (although he did not 'offer' as per the guidance, to do this, he agreed to it
and ultimately it was part of the settlement/exit deal). He then resubmitted the
exact same SAR a couple of weeks after receiving his settlement payment and
signing the settlement agreement. It would be useful to understand if an
organisation can rely on the 'excessive' reason or if this individual can be deemed
'malicious' in intent in these or similar circumstances.

Scenario two: it would be
useful to understand where an employee has agreed settlement terms,
compromising all rights against the company/employees etc, the extent to which an
organisation can rely on a 'malicious intent' defence on the basis that the SAR has
been submitted purely for the purpose of causing disruption - in one situation that
we encountered upon being asked to clarify his request, an individual specified that
his purpose for submitting the SAR after he had signed a settlement agreement and
been paid was essentially 'to sue' the organisation. The legal advice was that the
settlement agreement was watertight, so the scope for litigation was nonexistent,
therefore we concluded that as his stated purpose could not be achieved, the
purpose must have been malicious/to cause disruption (this was also supported by
the individual's behaviour).


Q5 On a scale of 1-5 how useful is the draft guidance?


1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score? 


There are some areas that we would have liked to have seen clarified. On the 
whole, we feel that the new guidance is not particularly sympathetic to small/med 
sized businesses who do not potentially have the resources to compliantly deal with 
a subject access request which relates to thousands of documents in a timely 
manner. Whilst we recognise the importance of upholding individual rights, we feel 
that, based on recent experience it should be recognised that individuals and their 
advisers are becoming more adept at using the SAR process to frustrate an
organisation and cause inconvenience, which is not within the spirit of the GDPR
legislation. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


Further to reading this guidance the outstanding questions we have are as follows:

- p.30 clarifies that individuals are entitled to their PD rather than copies of
documents, therefore would it be acceptable for an organisation to supply an Excel
spreadsheet (for example) with the personal data extracted from the documents in
question? This would be helpful where a SAR search throws up several thousand
hits.
- see above re question regarding the effect signing a settlement agreement
might have on an organisation's ability to infer that a data subject's intentions are
malicious.
- the new guidance appears to have deliberately omitted a line from v.1.2.
(p.28) which specifies that where a controller asks a data subject to clarify the
scope of a SAR they 'need not comply with a SAR until they receive it'. Has this
been deliberately withdrawn? This was quite a useful tool for organisations when
receiving a SAR which relates to several thousand documents.
- it would be useful to
have more information about when an organisation is able to rely on 'management
information' - the only example in the new guidance relates to a redundancy scheme
which appears to place the threshold very high - what about other sensitive
commercial information, customer lists etc, which a former employee may be able to
exploit?


Are you answering as: 
An individual acting in a private capacity (eg someone providing their views as a member of the public)
An individual acting in a professional capacity
On behalf of an organisation
Other

Please specify the name of your organisation: 


What sector are you from: 
Data Protection Officer - Lawpoint 


Q10 How did you find out about this survey? 
ICO Twitter account
ICO Facebook account
ICO LinkedIn account
ICO website
ICO newsletter
ICO staff member
Colleague
Personal/work Twitter account
Personal/work Facebook account
Personal/work LinkedIn account
Other
If other please specify: 


